First and foremost - awesome project, thank you very much! 😄
I would like to ask for/propose a new security enhancement: GPM permissions based on k8s roles.
My team was recently discussing the fact that everybody with access to GPM can see all policy violations across all namespaces.
It would be great for us to have some kind of restriction method to let users only see violations of workloads they can see in the cluster as well.
Thanks in advance!
This would be kind of tricky to implement actually because GPM is a Server Side Rendered application (so you would have to pass the credentials every time or something like that). I get where you are coming from though.
You can always limit the access to GPM using the supported OIDC authentication. If you want something more granular, like letting some people access the /constraints view but only admins the /constrainttemplates view, you can do it with your ingress using something like Pomerium (see this for example).
I'll leave the issue open so we can revisit it in the future.
Thanks for reaching out! Keep the suggestions coming :-)
Ramiro.